Skip to content

Commit

Permalink
Merge branch 'main' into httproute-1000
Browse files Browse the repository at this point in the history
  • Loading branch information
zirain authored Oct 9, 2024
2 parents 8032000 + 87b8418 commit ca27eaa
Show file tree
Hide file tree
Showing 277 changed files with 9,796 additions and 4,974 deletions.
22 changes: 11 additions & 11 deletions .github/workflows/build_and_test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ jobs:
lint:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: ./tools/github-actions/setup-deps
# Generate the installation manifests first, so it can check
# for errors while running `make -k lint`
Expand All @@ -31,14 +31,14 @@ jobs:
gen-check:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: ./tools/github-actions/setup-deps
- run: make -k gen-check

license-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: ./tools/github-actions/setup-deps
- run: make -k licensecheck

Expand All @@ -48,26 +48,26 @@ jobs:
contents: read # for actions/checkout
id-token: write # for fetching OIDC token
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: ./tools/github-actions/setup-deps

# test
- name: Run Coverage Tests
run: make go.test.coverage
- name: Upload coverage to Codecov
uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
with:
fail_ci_if_error: true
files: ./coverage.xml
name: codecov-envoy-gateway
verbose: true
use_oidc: true
use_oidc: ${{ !(github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork) }}

build:
runs-on: ubuntu-latest
needs: [lint, gen-check, license-check, coverage-test]
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: ./tools/github-actions/setup-deps

- name: Build EG Multiarch Binaries
Expand All @@ -87,7 +87,7 @@ jobs:
matrix:
version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: ./tools/github-actions/setup-deps

- name: Download EG Binaries
Expand Down Expand Up @@ -116,7 +116,7 @@ jobs:
matrix:
version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: ./tools/github-actions/setup-deps

- name: Download EG Binaries
Expand All @@ -143,7 +143,7 @@ jobs:
if: ${{ ! startsWith(github.event_name, 'push') }}
needs: [build]
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: ./tools/github-actions/setup-deps

- name: Setup Graphviz
Expand All @@ -170,7 +170,7 @@ jobs:
runs-on: ubuntu-latest
needs: [conformance-test, e2e-test]
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: ./tools/github-actions/setup-deps

- name: Download EG Binaries
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -32,18 +32,18 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: ./tools/github-actions/setup-deps

- name: Initialize CodeQL
uses: github/codeql-action/init@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
uses: github/codeql-action/init@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
with:
languages: ${{ matrix.language }}

- name: Autobuild
uses: github/codeql-action/autobuild@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
uses: github/codeql-action/autobuild@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
uses: github/codeql-action/analyze@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
with:
category: "/language:${{matrix.language}}"
4 changes: 2 additions & 2 deletions .github/workflows/docs.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Check out code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
ref: ${{ github.event.pull_request.head.sha }}

Expand All @@ -48,7 +48,7 @@ jobs:
contents: write
steps:
- name: Git checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
submodules: true
ref: ${{ github.event.pull_request.head.sha }}
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/experimental_conformance.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ jobs:
matrix:
version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: ./tools/github-actions/setup-deps

# gateway api experimental conformance
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/latest_release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ jobs:
benchmark-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: ./tools/github-actions/setup-deps

- name: Setup Graphviz
Expand Down Expand Up @@ -57,7 +57,7 @@ jobs:
permissions:
contents: write
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: ./tools/github-actions/setup-deps

- name: Generate Release Manifests
Expand Down
5 changes: 2 additions & 3 deletions .github/workflows/license-scan.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,11 +16,10 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Run scanner
uses: google/osv-scanner-action/osv-scanner-action@f0e6719deb666cd19a0b56bc56d01161bd848b4f # v1.8.5
uses: google/osv-scanner-action/osv-scanner-action@19ec1116569a47416e11a45848722b1af31a857b # v1.9.0
with:
# TODO enable call analysis once https://github.com/google/osv-scanner/issues/1220 is resolved
scan-args: |-
--skip-git
--experimental-licenses=Apache-2.0,BSD-2-Clause,BSD-2-Clause-FreeBSD,BSD-3-Clause,MIT,ISC,Python-2.0,PostgreSQL,X11,Zlib
Expand Down
5 changes: 2 additions & 3 deletions .github/workflows/osv-scanner.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ permissions:
jobs:
scan-scheduled:
if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@f0e6719deb666cd19a0b56bc56d01161bd848b4f" # v1.8.5
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@19ec1116569a47416e11a45848722b1af31a857b" # v1.9.0
permissions:
actions: read
contents: read
Expand All @@ -33,13 +33,12 @@ jobs:
scan-pr:
if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@f0e6719deb666cd19a0b56bc56d01161bd848b4f" # v1.8.5
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@19ec1116569a47416e11a45848722b1af31a857b" # v1.9.0
permissions:
actions: read
contents: read
security-events: write
with:
# TODO enable call analysis once https://github.com/google/osv-scanner/issues/1220 is resolved
scan-args: |-
--skip-git
--recursive
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ jobs:
benchmark-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: ./tools/github-actions/setup-deps

- name: Setup Graphviz
Expand Down Expand Up @@ -50,7 +50,7 @@ jobs:
permissions:
contents: write
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

- name: Extract Release Tag and Commit SHA
id: vars
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ jobs:

steps:
- name: "Checkout code"
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
persist-credentials: false

Expand All @@ -40,6 +40,6 @@ jobs:
retention-days: 5

- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
with:
sarif_file: results.sarif
2 changes: 1 addition & 1 deletion .github/workflows/trivy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

- name: Build an image from Dockerfile
run: |
Expand Down
2 changes: 2 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,8 @@
[![OSV-Scanner](https://github.com/envoyproxy/gateway/actions/workflows/osv-scanner.yml/badge.svg)](https://github.com/envoyproxy/gateway/actions/workflows/osv-scanner.yml)
[![Trivy](https://github.com/envoyproxy/gateway/actions/workflows/trivy.yml/badge.svg)](https://github.com/envoyproxy/gateway/actions/workflows/trivy.yml)

![Envoy Gateway Logo](https://github.com/cncf/artwork/blob/main/projects/envoy/envoy-gateway/horizontal/color/envoy-gateway-horizontal-color.svg)

Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or
Kubernetes-based application gateway.
[Gateway API](https://gateway-api.sigs.k8s.io) resources are used to dynamically provision and configure the managed Envoy Proxies.
Expand Down
22 changes: 22 additions & 0 deletions api/v1alpha1/accesslogging_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,8 +30,30 @@ type ProxyAccessLogSetting struct {
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=50
Sinks []ProxyAccessLogSink `json:"sinks"`
// Type defines the component emitting the accesslog, such as Listener and Route.
// If type not defined, the setting would apply to:
// (1) All Routes.
// (2) Listeners if and only if Envoy does not find a matching route for a request.
// If type is defined, the accesslog settings would apply to the relevant component (as-is).
// +kubebuilder:validation:Enum=Listener;Route
// +optional
// +notImplementedHide
Type *ProxyAccessLogType `json:"type,omitempty"`
}

type ProxyAccessLogType string

const (
// ProxyAccessLogTypeListener defines the accesslog for Listeners.
// https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log
ProxyAccessLogTypeListener ProxyAccessLogType = "Listener"
// ProxyAccessLogTypeRoute defines the accesslog for HTTP, GRPC, UDP and TCP Routes.
// https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/udp/udp_proxy/v3/udp_proxy.proto#envoy-v3-api-field-extensions-filters-udp-udp-proxy-v3-udpproxyconfig-access-log
// https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto#envoy-v3-api-field-extensions-filters-network-tcp-proxy-v3-tcpproxy-access-log
// https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-access-log
ProxyAccessLogTypeRoute ProxyAccessLogType = "Route"
)

type ProxyAccessLogFormatType string

const (
Expand Down
38 changes: 34 additions & 4 deletions api/v1alpha1/authorization_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,8 +28,11 @@ type Authorization struct {
// AuthorizationRule defines a single authorization rule.
type AuthorizationRule struct {
// Name is a user-friendly name for the rule.
// If not specified, Envoy Gateway will generate a unique name for the rule.n
// If not specified, Envoy Gateway will generate a unique name for the rule.
//
// +optional
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=253
Name *string `json:"name,omitempty"`

// Action defines the action to be taken if the rule matches.
Expand All @@ -45,7 +48,8 @@ type AuthorizationRule struct {
// Principal specifies the client identity of a request.
// A client identity can be a client IP, a JWT claim, username from the Authorization header,
// or any other identity that can be extracted from a custom header.
// Currently, only the client IP is supported.

// If there are multiple principal types, all principals must match for the rule to match.
//
// +kubebuilder:validation:XValidation:rule="(has(self.clientCIDRs) || has(self.jwt))",message="at least one of clientCIDRs or jwt must be specified"
type Principal struct {
Expand All @@ -60,7 +64,8 @@ type Principal struct {
// You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
// the `ClientTrafficPolicy` to configure how the client IP is detected.
// +optional
ClientCIDRs []CIDR `json:"clientCIDRs"`
// +kubebuilder:validation:MinItems=1
ClientCIDRs []CIDR `json:"clientCIDRs,omitempty"`

// JWT authorize the request based on the JWT claims and scopes.
// Note: in order to use JWT claims for authorization, you must configure the
Expand All @@ -76,12 +81,23 @@ type Principal struct {
//
// +kubebuilder:validation:XValidation:rule="(has(self.claims) || has(self.scopes))",message="at least one of claims or scopes must be specified"
type JWTPrincipal struct {
// Provider is the name of the JWT provider that used to verify the JWT token.
// In order to use JWT claims for authorization, you must configure the JWT
// authentication with the same provider in the same `SecurityPolicy`.
//
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=253
Provider string `json:"provider"`

// Claims are the claims in a JWT token.
//
// If multiple claims are specified, all claims must match for the rule to match.
// For example, if there are two claims: one for the audience and one for the issuer,
// the rule will match only if both the audience and the issuer match.
//
// +optional
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=16
Claims []JWTClaim `json:"claims,omitempty"`

// Scopes are a special type of claim in a JWT token that represents the permissions of the client.
Expand All @@ -90,8 +106,11 @@ type JWTPrincipal struct {
// as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23.
//
// If multiple scopes are specified, all scopes must match for the rule to match.
//
// +optional
Scopes []string `json:"scopes,omitempty"`
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=16
Scopes []JWTScope `json:"scopes,omitempty"`
}

// JWTClaim specifies a claim in a JWT token.
Expand All @@ -101,10 +120,14 @@ type JWTClaim struct {
// represent the full path to the claim.
// For example, if the claim is in the "department" field in the "organization" field,
// the name should be "organization.department".
//
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=253
Name string `json:"name"`

// ValueType is the type of the claim value.
// Only String and StringArray types are supported for now.
//
// +kubebuilder:validation:Enum=String;StringArray
// +kubebuilder:default=String
// +unionDiscriminator
Expand All @@ -115,9 +138,16 @@ type JWTClaim struct {
// If the claim is a string type, the specified value must match exactly.
// If the claim is a string array type, the specified value must match one of the values in the array.
// If multiple values are specified, one of the values must match for the rule to match.
//
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=16
Values []string `json:"values"`
}

// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=253
type JWTScope string

type JWTClaimValueType string

const (
Expand Down
7 changes: 7 additions & 0 deletions api/v1alpha1/backendtrafficpolicy_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,13 @@ type BackendTrafficPolicySpec struct {
// +optional
// +notImplementedHide
Compression []*Compression `json:"compression,omitempty"`

// ResponseOverride defines the configuration to override specific responses with a custom one.
// If multiple configurations are specified, the first one to match wins.
//
// +optional
// +notImplementedHide
ResponseOverride []*ResponseOverride `json:"responseOverride,omitempty"`
}

// +kubebuilder:object:root=true
Expand Down
Loading

0 comments on commit ca27eaa

Please sign in to comment.